1
Signature scheme based on the root extraction problem over braid groups
B.C. Wang, Y.P. Hu. IET Information Security, 2009, Vol. 3, Iss. 2, pp. 53-59
2
Outline: Introduction, Preliminaries, The proposed signature scheme, Performance and parameter specification, Security analysis, Conclusion
3
Introduction: Artin's braid group
Infinite non-commutative group
Word problem is solvable
RP and CSP are intractable over the braid group
CSP has an exponential computational complexity, at least in the worst case
Braid-based cryptography has been a hot topic
4
Introduction: Anshel et al., 1999 - 2003
The commutator key agreement protocol, generalised and axiomatised
Ko et al., 2000
The key exchange protocol and PKC based on the computational DHCP
5
Introduction: Cha et al., 2001
The cryptosystem can be modified to be based on the DP
Ko et al., 2002
The signature scheme based on the k-simultaneous CSP
Dehornoy
The authentication protocol based on the shifted CP
Some others
The authentication protocol based on the RP
6
Introduction: Hughes and Myasnikov et al.
The k-simultaneous CSP always provides the attacker sufficient information about the common conjugator braid
The Burau representation: sufficiently many equations derived from the k-simultaneous CSP allow the attacker to lift the Burau matrix representation back to the Artin form
7
Introduction: linear algebraic problem, Diffie-Hellman type problem, DP, shifted CSP
Some authors even announced the death of the subject
It is hoped that cryptographic algorithms constructed on the RP should be more secure
8
Introduction: two reasons that illustrate the insecurity of previous braid PKC algorithms
The security of these schemes is not tightly related to the underlying intractable problem
The public keys of some schemes reveal too much information about the construction of the cryptographic algorithm, so the attacker can obtain many equations with respect to the public and secret keys
10
Preliminaries: Let u = Δ_n^k a_1 ⋯ a_p and v = Δ_n^l b_1 ⋯ b_q be left canonical forms (Δ_n the fundamental braid), with len(u) = p, len(v) = q.
Computing the LCF of uv costs O(pqn log n)
Computing the inverse u^-1 of u costs O(pn)
0 ≦ len(uv) ≦ p + q
len(u) ≒ len(u^-1)
11
Preliminaries: Conjugacy search problem, CSP
Given x ~ y, find a conjugator z s.t. y = z x z^-1
Root problem, RP
Given y ∈ Bn and an integer e ≧ 2 s.t. y = x^e for some unknown braid x, find such an x
13
The proposed signature scheme: parameters
n : braid index
e : integer, e ≧ 2
H : a collision-free one-way hash function, H : {0, 1}* → {0, 1}^k
14
The proposed signature scheme: key generation
Randomly choose k + 1 non-trivial braids b1, …, bk, r ∈ Bn s.t. bi and bj commute for all i, j = 1, …, k.
Compute ai = r bi^e r^-1, i = 1, …, k
The public key is (a1, …, ak); the secret key is (b1, …, bk, r)
15
The proposed signature scheme: signing a message
To sign a given message m, Alice randomly chooses a braid s ∈ Bn.
She calculates
H(m) = (h1, …, hk)
t = s r^-1
u = s (∏_{i=1}^{k} bi^{hi}) s^-1
The signature for the message m is (u, t)
16
The proposed signature scheme: verification
Bob computes
v = ∏_{i=1}^{k} ai^{hi}, where (h1, …, hk) = H(m)
Verifies the equation
u^e = t v t^-1
If the equation holds, he accepts the signature (u, t) as a valid signature for m. Otherwise, he rejects it.
17
The proposed signature scheme: verification (correctness)
t v t^-1 = s r^-1 (∏_{i=1}^{k} ai^{hi}) r s^-1
= s r^-1 (∏_{i=1}^{k} r bi^{e hi} r^-1) r s^-1
= s (∏_{i=1}^{k} bi^{e hi}) s^-1
= s (∏_{i=1}^{k} bi^{hi})^e s^-1     (since the bi commute)
= (s (∏_{i=1}^{k} bi^{hi}) s^-1)^e
= u^e
19
Performance and parameter specification: parameter specifications
How to find bi and bj that commute, i, j = 1, …, k:
Randomly choose commuting braids c1, …, cs, where s << k, e.g. s ≒ k / 10.
Randomly choose k s-dimensional vectors v1, …, vk, where vi = (vi1, …, vis), i = 1, …, k, and the vij are small integers.
Compute
bi = ∏_{j=1}^{s} cj^{vij}, i = 1, …, k
Then we have k commuting braids b1, …, bk.
20
Performance and parameter specification
Parameter specifications: the ci lie in the subgroup <σj1, …, σjl> ⊂ Bn, whose indices satisfy |ju - jv| ≧ 2 for arbitrary ju ≠ jv.
The subgroup <σj1, …, σjl> is a commutative group.
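Added example, not the authors' code: the key generation, signing and verification steps of the scheme, together with the commuting-generator construction from this slide (bi built from ci in a subgroup of σ's whose indices differ by at least 2), carried out in the unreduced Burau representation of B_6 specialised at t = 7 modulo a prime, so the braid algebra behind u^e = t v t^-1 can be checked concretely. Assumed here: n = 6, the prime modulus and t, and the first k bits of SHA-256 standing in for H. The Burau image is a matrix group rather than the braid group itself (the deck's own security analysis discusses lifting Burau matrices), so this demonstrates the verification identity and the commuting-subgroup construction, not the hardness of root extraction.

```python
import hashlib
from functools import reduce

P, T, N = 1_000_003, 7, 6  # prime modulus, Burau parameter t, braid index (all assumed)
TINV = pow(T, P - 2, P)
ident = lambda: [[int(r == c) for c in range(N)] for r in range(N)]  # n x n identity

def matmul(a, b):
    return [[sum(a[r][k] * b[k][c] for k in range(N)) % P for c in range(N)] for r in range(N)]

def matinv(m):  # Gauss-Jordan inverse mod P; every Burau image is invertible
    a = [row[:] + ident()[r] for r, row in enumerate(m)]
    for c in range(N):
        piv = next(r for r in range(c, N) if a[r][c])
        a[c], a[piv] = a[piv], a[c]
        a[c] = [x * pow(a[c][c], P - 2, P) % P for x in a[c]]
        for r in range(N):
            if r != c and a[r][c]:
                a[r] = [(x - a[r][c] * y) % P for x, y in zip(a[r], a[c])]
    return [row[N:] for row in a]

def sigma(i, inverse=False):  # Burau matrix of sigma_i (1-indexed) or of sigma_i^-1
    m, j = ident(), i - 1
    blk = [[0, 1], [TINV, (1 - TINV) % P]] if inverse else [[(1 - T) % P, T], [1, 0]]
    m[j][j:j + 2], m[j + 1][j:j + 2] = blk[0], blk[1]
    return m

def braid(word):  # word = list of nonzero ints, -i standing for sigma_i^-1
    return reduce(matmul, (sigma(abs(g), g < 0) for g in word), ident())
def inv(word):  # inverse braid word: reverse the word and flip every exponent
    return [-g for g in reversed(word)]

def hash_bits(msg, k):  # H: {0,1}* -> {0,1}^k, here the first k bits of SHA-256
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(k)]

def make_bs(cs, vs):  # b_i = prod_j c_j^{v_ij} from commuting c_j and small v_ij >= 0
    return [[g for c, vij in zip(cs, v) for g in c * vij] for v in vs]

def keygen(bs, r, e):  # public key a_i = r b_i^e r^-1 ; the b_i must pairwise commute
    return [braid(r + b * e + inv(r)) for b in bs], (bs, r)

def sign(sk, h, s):  # u = s (prod_i b_i^{h_i}) s^-1 ,  t = s r^-1 ; h = H(m)
    bs, r = sk
    return braid(s + [g for b, hi in zip(bs, h) for g in b * hi] + inv(s)), braid(s + inv(r))

def verify(pk, h, sig, e):  # accept iff u^e == t (prod_i a_i^{h_i}) t^-1
    u, t = sig
    v = reduce(matmul, [a for a, hi in zip(pk, h) if hi], ident())
    return reduce(matmul, [u] * e) == matmul(matmul(t, v), matinv(t))
```

Swapping the hash bits of one message for another makes the check fail because ∏ bi^{hi} changes while the conjugating pair (s, r) does not, which is exactly the step the forging argument in the security analysis relies on.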
21
Performance and parameter specification: suggested parameters
n = 90, e = 2, k = 80, s = k / 10 = 8
len(ci) = 2
vi = <vi1, …, vis> ∈ {0, 1}^8, with 1 ≦ vi1 + … + vis ≦ 3
bi has 8 + 28 + 56 = 92 > 80 choices
len(bi) ≦ 3 len(ci) = 6
len(r) = 8, len(s) = 8
len(ai) = len(r) + e × len(bi) + len(r^-1) = 28
The public key size = 80 × 28 = 2240 bits
The secret key size = k × len(bi) + len(r) = 488 bits
22
Performance and parameter specification
Computational complexity and comparison
One 1024-bit RSA modular multiplication = 2.1 × 10^6 bit operations
Total computational cost to sign a message = 6.2 × 10^6 ≒ 3 1024-bit RSA modular multiplications
The verifier needs 3.7 × 10^7 ≒ 17 1024-bit RSA modular multiplications
24
Security analysis: key recovery attack
The attacker cannot lift the Burau matrix representation back to Artin braids.
The attacker cannot learn the secret key from the public key.
25
Security analysis: on forging a signature
For a given message m, an attacker can forge a valid signature (u, t) iff he can extract the e-th root of the braid v ∈ Bn
On extracting the e-th root: the attacker cannot use knowledge of the signatures to solve the RP.
26
Security analysis Security comparison and remarks
28
Conclusions
A detailed account of the rise and fall of braid groups in cryptography, pointing out the shortcomings of previous work:
Loosely dependent on the hard problem
Public keys leak too much information
A simple proof method is proposed